Chris Heuman, the Practice Leader for RISC Management and Consulting, will be presenting at the Genesis Health Alliance (GHA) Vendor Fair in Evansville, IN.

When: April 10th, 2014

Chris will join key partners to present to members of GHA on the topic of HIPAA’s Contingency Plan Standard: what’s required, what steps should be completed, how to develop documentation, and how and what to test.

Join Chris Heuman and RISC to learn real-world scenarios and steps for success in meeting this extremely difficult Standard in the HIPAA Security Rule. RISC will introduce leading-edge solutions that facilitate a Covered Entity’s or Business Associate’s compliance with these difficult-to-manage requirements.

To bring this presentation to your site or via WebEx, contact RISC to receive more information on identifying, documenting, addressing, and eliminating risk to all of your sensitive information.

In support of knowing what data and which systems are most critical to an organization, and which systems and applications are in-scope for HIPAA, RISC recommends Data Loss Prevention (DLP) solutions.

RISC DLP Solutions

The first step in any information security and compliance program is understanding what data your organization has, where it is located, and who is using it, whether authorized or unauthorized. RISC Management’s DLP solution can assist you in finding the sensitive information that is created, collected, stored, processed, transmitted, disclosed, or archived by your organization. Complete and accurate knowledge is necessary in order to understand which laws or requirements apply to your organization, and which members of your workforce may require training or monitoring.

RISC Management can help you watch the sensitive information flowing into, throughout, and out of your network without impacting performance or requiring infrastructure modifications.

Genesis Health Alliance (GHA) is an organization that brings together 20 hospitals from Southeast Illinois, Southwest Indiana, and Western Kentucky with the mission of improving the health status of the community they serve. Their other objective is to provide a group purchasing initiative to assist the hospital members in improving services and reducing operational costs. GHA is governed by a Board of Directors that meets quarterly.

Mobile devices—laptop computers, handhelds, smart phones, and portable storage media—have opened a world of opportunities to un-tether EHRs from the desktop. But these opportunities also present threats to information security and privacy. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.

Because of their mobility, these devices are easy to lose and vulnerable to theft.

Mobile devices are more likely than stationary ones to be exposed to electromagnetic interference (EMI), especially from other medical devices, such as MRI machines. This interference can corrupt the information stored on a mobile device.

Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the PHI displayed on a laptop or handheld device.

Not all mobile devices are equipped with strong authentication and access controls. Extra steps may be necessary to secure mobile devices from unauthorized use. Laptops should have password protection that conforms to that described in Practice 1. Many handheld devices can be configured with password protection, and this should be enabled when available. If password protection is not provided, additional steps must be taken to protect PHI on the handheld, including extra precaution over the physical control of the device.

Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from intrusion (Practice 6 describes wireless network protection). Transmitting PHI unencrypted across public networks (e.g. the Internet, public Wi-Fi services) is permissible only where the patient requests it and has been informed of the potential risks. Generally, however, PHI should not be transmitted without encryption across these public networks.

Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. If healthcare data is stored on the mobile device, ensure that encryption is installed and enabled. The newest iPhone models have achieved FIPS 140-2 certification for their encryption modules. Mobile devices that cannot support encryption should not be used. This includes the inexpensive memory sticks or thumb drives that are widely available and often given away by vendors. Encrypted versions of these devices are readily obtainable at a modest cost—much less than the cost of mitigating a data breach. Remember to encrypt removable media as well, such as the microSD card in your phone.

If it is absolutely necessary to take a laptop containing patient data out of a secure area, the laptop’s hard drive should be encrypted. Encryption for laptops has become so affordable, and so easy to install and manage, that it is hard to envision a reason that all laptops are not encrypted today. To leave a laptop unencrypted is to invite unnecessary risk to your organization and to ignore benefits such as safe harbor from federal and state data breach laws.

Policies specifying the circumstances under which devices may be removed from the facility are very important, and all due care must be taken in developing and enforcing them. The primary goal is to protect the patient’s information, so considerations of convenience or custom (e.g. working from home) must be weighed in that light.

But I need to work at home today…

In today’s increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home, a travel hub, or a coffee shop. Those who have responsibility for protecting patient data must recognize that this responsibility does not end at the office door. Good security practices must always be followed.